Where and How to Find Vulnerabilities

POSSIBLE VULNERABILITIES

WHAT TO CONSIDER

Patrons can access the staff network

Use your networking equipment (e.g., router, switch, firewall) to create separate sub­-networks for patron computing and staff computing. Network administrators often use Virtual LANs (VLANs) and firewalls to accomplish this. This step is especially important if you have a wireless network for patrons. Some of those laptops will be riddled with viruses and malware. Also, while most patrons have no interest in hacking your network, there's no point in tempting them. For more information on wireless security, see Chapter One of Recipes for a 5-Star Library.

You don't have control of critical data

Where do you keep your patron data, circulation records, financial documents, staff documents and critical databases? Make sure you have a list of all the mission­-critical data collections in your library, where they're stored, how they're backed up and who has access to them.

You haven't secured your servers

Devices that connect directly to the Internet must be secured. Do you have servers (e.g., Web servers or e­mail servers) exposed to the Internet or your public network? Have the servers been "hardened" by removing all unnecessary applications, services and user accounts? You should not have a Web server that has additional services running beyond what it needs to complete its primary function. The exact steps for hardening a server depend on your configuration, but you should look for advice and see if there are any software tools that might help (e.g., the Microsoft Baseline Security Analyzer).

You aren't taking basic precautions

All PCs should have the latest operating system updates, the latest software patches and up ­to ­date virus definitions. As much as possible, try to automate these updates so they aren't forgotten. For more information, see Chapter Two of A Cookbook for Small and Rural Libraries.

You haven't paid attention to physical security

Who has the keys to your building? Are there locks on your server room? Who has keys to that room? Do you have any computers in far-off corners of the library where your staff has a hard time seeing them? If you check out laptops and other equipment to the public, have you thought about theft prevention?

We've heard a few horror stories about libraries who thought they had backups, only to find that the backup tapes were blank or unusable. For more information, see Worst Practices: Don't Test Your Backups at TechRepublic.

Many surveys show that internal security breaches are the most common type. Departing, bored and disgruntled employees are potential problems that we sometimes overlook. Design your network with limited and appropriate access. Create policies regarding the process for changing of passwords. When an employee leaves, delete or suspend their user accounts immediately.

Your staff doesn't understand the risks of social engineering

Social engineering is a technique that hackers use to trick people into divulging private, secure information. It's still one of the leading causes of security breaches. For example, an employee might receive a phone call from someone who claims to work for your Internet service provider or other technical support. The caller says that he's fixing a problem and needs the user's password to test a possible solution. The employee hands over the information without verifying the caller's identity.